The information and knowledge created and accumulated by organizations and businesses are their most valuable assets. As such, managing and keeping the information and the knowledge inside the organization and restricting its distribution outside is of paramount importance for almost any organization, government entity or business, and provides significant leverage of its value. Most of the information in modern organizations and businesses is represented in a digital format. Digital content can be easily copied and distributed (e.g., via e-mail, instant messaging, peer-to-peer networks, FTP and web-sites), which greatly increases hazards such as business espionage and data leakage. In addition, the distribution of digital items requires resources, such as costly bandwidth and precious employee time.
Another aspect of the problem is compliance with regulations with respect to information: regulations within the United States of America, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOXA), imply that the information assets within organizations should be monitored and subjected to an information management policy, in order to protect clients' privacy and to mitigate the risks of potential misuse and fraud. In particular, the existence of covert channels of information, which can serve conspiracies to commit fraud or other illegal activities, poses a severe risk from both legal and business perspectives.
Assigning a distribution and usage policy to digital items is therefore of great importance for the mitigation of the hazards and perils of unauthorized transport and for saving costly resources. However, in most cases, the distribution policy is hardly ever fully fulfilled: as with most predetermined sets of rules, many exceptions to the rules occur due to the varying needs in our ever-changing world and the fact that it is very hard, if not impossible, to anticipate all the possible scenarios and circumstances to which the predetermined rules should apply.
Furthermore, in general, compliance is driven by many parameters, and those parameters may have several values. Therefore, compliance can be considered as a matrix, where the columns are the different requirements and the rows are systems and processes. Hence, in most cases, the result of an audit is a report that lists those issues rather than a simple yes or no.
Prior art solutions rely mainly on cumbersome manual measures to overcome the problem, e.g., correcting and updating the distribution policy or providing an ad-hoc solution to any justified breach of the distribution policy.
There is thus a recognized need for, and it would be highly advantageous to have, a method and system that allows efficient management of quantitative and qualitative aspects of compliance with the distribution policy, which overcomes the drawbacks of current methods as described above.